Malware Analysis Report

2025-08-10 19:33

Sample ID: 231116-cfne7sgc8z
Target: 16112023_1001_T2.jpg.ps1
SHA256: 47f11e01187fdda999732db919d3cb2b37a114411328f6544871234456f8966b
Tags: asyncrat rxr* rat
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: 47f11e01187fdda999732db919d3cb2b37a114411328f6544871234456f8966b
Threat Level: Known bad

The file 16112023_1001_T2.jpg.ps1 was found to be: Known bad.

Malicious Activity Summary

Tags: asyncrat rxr* rat

AsyncRat
Async RAT payload
Checks computer location settings
Suspicious use of SetThreadContext
Drops file in System32 directory
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-11-16 02:01

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-11-16 02:01
Reported: 2023-11-16 02:03
Platform: win7-20231020-en
Max time kernel: 136s
Max time network: 120s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\16112023_1001_T2.jpg.ps1

Signatures

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A (2 events)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A (2 events)

Uses Task Scheduler COM API (persistence)

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\16112023_1001_T2.jpg.ps1

C:\Windows\system32\taskeng.exe
  taskeng.exe {A751D231-E90E-4A17-A5BE-76F0ACF34ABF} S-1-5-21-1154728922-3261336865-3456416385-1000:TLIDUQCQ\Admin:Interactive:[1]

C:\Windows\System32\WScript.exe
  C:\Windows\System32\WScript.exe "C:\Users\Public\libraries.vbs"

C:\Windows\System32\cmd.exe
  cmd /c ""C:\Users\Public\libraries.bat" "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\libraries.ps1'"

Network

N/A

Files

Memory dumps:
memory/2192-4-0x000000001B270000-0x000000001B552000-memory.dmp
memory/2192-5-0x00000000024E0000-0x00000000024E8000-memory.dmp
memory/2192-6-0x000007FEF60B0000-0x000007FEF6A4D000-memory.dmp
memory/2192-7-0x0000000002900000-0x0000000002980000-memory.dmp
memory/2192-8-0x0000000002900000-0x0000000002980000-memory.dmp
memory/2192-9-0x0000000002900000-0x0000000002980000-memory.dmp
memory/2192-10-0x000007FEF60B0000-0x000007FEF6A4D000-memory.dmp
memory/2192-11-0x0000000002900000-0x0000000002980000-memory.dmp
memory/2192-15-0x000007FEF60B0000-0x000007FEF6A4D000-memory.dmp

C:\Users\Public\libraries.vbs
  MD5    882c260115cfacc236251d065cc23c4c
  SHA1   cee58dd936e493370224db57ca49c4d6c0cbfeff
  SHA256 1d1595fdd363891dd2d9d081059b2dcbca1edc72c80b6c637436a9090ba2564a
  SHA512 d1279bcc0150ba96164445a98fdb5ff5ef6cde81460af71612ee0f0a7ac8155f9d3a73aa26ccb53a9da6493e078aef42e20ca26011f0f5aa855f5ced61236641

C:\Users\Public\libraries.bat
  MD5    440e905a6fcf6bcc0ffe763896e21044
  SHA1   89bf89ca871095dd7431147a4e0c993bfdba897e
  SHA256 aae3e34c1f6bf5eaf7c91afec528d24ac1b10272705be506653b29df17d6e834
  SHA512 f324dbff528e9579f81af84c09ab45ef87cd8e516cb22a5f99e432d4d1ca528f3e5d8f7a1f479076a89c18cd44bbaa10df4f6a1fcdc3fe8937febadb892d89fd

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  MD5    aca36eac26e2ccc8cb48d3b3869beaba
  SHA1   9b0df50cd9b6eaa4bd244a5735097c627a95fda2
  SHA256 773aa3c44c6c70859f219338fc6047362551f312bf0e86b11af58229cab3f544
  SHA512 2c32408a78478beb485378b4b2e276bd296ab4d017c4dbdd81891b71c81ac99b2caf89bb9d48973c8786d7c16e0c43ee95ab661a3240f31d83e43491d97727c4

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\538XWOMD7KIJ1VI0HY80.temp
  MD5    0c7b7f86b4a2885f7019bcf1ee207c46
  SHA1   9edf52d329c3a674ae4d7062ad4d7c428d3a94b5
  SHA256 bb27416b6175d11959e25675c7aebb0080c11b4b7f253bf926be3b93b7ce2cb5
  SHA512 69e2c26708c63780e593e5158f49b03fccd9ba5950147677e3db9c2c755c14505e29b8507bec6f53b567046aad02f90ebe3f65570e30e25c5794bfe90f5b2cd4

Memory dumps:
memory/2640-23-0x000000001B360000-0x000000001B642000-memory.dmp
memory/2640-24-0x000007FEF5DE0000-0x000007FEF677D000-memory.dmp
memory/2640-25-0x0000000002980000-0x0000000002A00000-memory.dmp
memory/2640-26-0x000007FEF5DE0000-0x000007FEF677D000-memory.dmp
memory/2640-27-0x0000000002980000-0x0000000002A00000-memory.dmp
memory/2640-28-0x0000000001D40000-0x0000000001D48000-memory.dmp

C:\Users\Public\libraries.ps1
  MD5    d253b8760d01942b6f0cf89884d8ce6f
  SHA1   f5c10af0337c62aaf7403fb88cfe5671ef317d56
  SHA256 1c2e5ff87905fd9a30d3498c37374bcb9944caaf229dd8d9d85ffa25d3ab3ae4
  SHA512 77049aaa93bcba3a101b0f93571b3b633c2b98876655e63ba427219eb20fe7256f500edad9b840494ccddb5ca55f9baa8eec36020f099887fec86e4feadb8782

Memory dumps:
memory/2640-30-0x0000000002980000-0x0000000002A00000-memory.dmp
memory/2640-31-0x0000000002580000-0x0000000002592000-memory.dmp
memory/2640-32-0x000007FEF5DE0000-0x000007FEF677D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2023-11-16 02:01
Reported: 2023-11-16 02:03
Platform: win10v2004-20231020-en
Max time kernel: 149s
Max time network: 154s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\16112023_1001_T2.jpg.ps1

Signatures

AsyncRat (rat asyncrat)

Async RAT payload (rat)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (2 events)

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3576 set thread context of 1268 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A (25 events)
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A (2 events)
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4964 wrote to memory of 4020 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\system32\cmd.exe (2 events)
PID 4020 wrote to memory of 3576 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 events)
PID 3576 wrote to memory of 1268 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (8 events)

Uses Task Scheduler COM API (persistence)

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\16112023_1001_T2.jpg.ps1

C:\Windows\System32\WScript.exe
  C:\Windows\System32\WScript.exe "C:\Users\Public\libraries.vbs"

C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Public\libraries.bat" "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\libraries.ps1'"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.113.22.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 39.142.81.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 1.208.79.178.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp (5 connections)
US | 8.8.8.8:53 | 254.22.238.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | rxrr.duckdns.org | udp
FR | 185.81.157.213:6606 | rxrr.duckdns.org | tcp
US | 8.8.8.8:53 | 213.157.81.185.in-addr.arpa | udp
US | 8.8.8.8:53 | 8.173.189.20.in-addr.arpa | udp
FR | 185.81.157.213:6606 | rxrr.duckdns.org | tcp
FR | 185.81.157.213:8808 | rxrr.duckdns.org | tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4ynxgfia.ski.ps1
  MD5    d17fe0a3f47be24a6453e9ef58c94641
  SHA1   6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Memory dumps:
memory/3696-9-0x00000224E95F0000-0x00000224E9612000-memory.dmp
memory/3696-10-0x00007FFDC1DD0000-0x00007FFDC2891000-memory.dmp
memory/3696-11-0x00000224E8E30000-0x00000224E8E40000-memory.dmp
memory/3696-12-0x00000224E8E30000-0x00000224E8E40000-memory.dmp
memory/3696-18-0x00007FFDC1DD0000-0x00007FFDC2891000-memory.dmp

C:\Users\Public\libraries.vbs
  MD5    882c260115cfacc236251d065cc23c4c
  SHA1   cee58dd936e493370224db57ca49c4d6c0cbfeff
  SHA256 1d1595fdd363891dd2d9d081059b2dcbca1edc72c80b6c637436a9090ba2564a
  SHA512 d1279bcc0150ba96164445a98fdb5ff5ef6cde81460af71612ee0f0a7ac8155f9d3a73aa26ccb53a9da6493e078aef42e20ca26011f0f5aa855f5ced61236641

C:\Users\Public\libraries.bat
  MD5    440e905a6fcf6bcc0ffe763896e21044
  SHA1   89bf89ca871095dd7431147a4e0c993bfdba897e
  SHA256 aae3e34c1f6bf5eaf7c91afec528d24ac1b10272705be506653b29df17d6e834
  SHA512 f324dbff528e9579f81af84c09ab45ef87cd8e516cb22a5f99e432d4d1ca528f3e5d8f7a1f479076a89c18cd44bbaa10df4f6a1fcdc3fe8937febadb892d89fd

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  MD5    2f57fde6b33e89a63cf0dfdd6e60a351
  SHA1   445bf1b07223a04f8a159581a3d37d630273010f
  SHA256 3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
  SHA512 42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Memory dumps:
memory/3576-22-0x00007FFDBFAB0000-0x00007FFDC0571000-memory.dmp
memory/3576-23-0x0000028146B10000-0x0000028146B20000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5    38e01d05f1a3c204a4b66f6503a154b4
  SHA1   1f13df998e49ba099b8142117047ca78c7728826
  SHA256 098383f853295ab4ca31292fc72f149c4d737544f973232a84f48ba060076610
  SHA512 d4cf12cc636128328bca08bfefdb5cbd3d7e3fa0b9ab8de99734a9af67c18224146000e2a5b79ad3fcfbcef27290e93fcd8f9c0979c8dd95e47e123b479cbed5

Memory dumps:
memory/3576-34-0x0000028146B10000-0x0000028146B20000-memory.dmp

C:\Users\Public\libraries.ps1
  MD5    d253b8760d01942b6f0cf89884d8ce6f
  SHA1   f5c10af0337c62aaf7403fb88cfe5671ef317d56
  SHA256 1c2e5ff87905fd9a30d3498c37374bcb9944caaf229dd8d9d85ffa25d3ab3ae4
  SHA512 77049aaa93bcba3a101b0f93571b3b633c2b98876655e63ba427219eb20fe7256f500edad9b840494ccddb5ca55f9baa8eec36020f099887fec86e4feadb8782

Memory dumps:
memory/3576-36-0x0000028146C20000-0x0000028146C32000-memory.dmp
memory/1268-37-0x0000000000400000-0x0000000000416000-memory.dmp
memory/3576-39-0x00007FFDBFAB0000-0x00007FFDC0571000-memory.dmp
memory/1268-40-0x0000000075390000-0x0000000075B40000-memory.dmp
memory/1268-41-0x0000000004F60000-0x0000000004F70000-memory.dmp
memory/1268-42-0x0000000005730000-0x0000000005CD4000-memory.dmp
memory/1268-43-0x0000000005370000-0x0000000005402000-memory.dmp
memory/1268-44-0x0000000005360000-0x000000000536A000-memory.dmp
memory/1268-45-0x0000000005EC0000-0x0000000005F5C000-memory.dmp
memory/1268-46-0x0000000005E20000-0x0000000005E86000-memory.dmp